[tl;dr sec] #61 - Effective Security OKRs, Scaling Threat Modeling, Webscan

Hey there,

I hope you’re doing well!

I’m experimenting with a few longer snippets (vs many small links) in this one, feel free to let me know what you think!

😴 Put Your Compliance Stress to Rest

Recently I was chatting with my friend Erik, who runs a security consulting firm, and he wrote:

Intending “asmt,” for “assessment.” I initially found it a little strange that his firm was offering soothing whispers-as-a-service (SWaaS), but hey, you gotta do what pays the bills.

If you’re not familiar with autonomous sensory meridian response (ASMR), you can check out many videos on Youtube about it, where generally a person whispers soothing words while making some repetitive sounds. For example, you can have all your negative energy removed, watch Shrek be whispered to, or visit a steampunk optometrist.

Erik and I agreed that there is an unfulfilled niche in ASMR + security. Why are there no enterprise compliance ASMR videos yet?

While not exactly that, I did later stumble across ASMR for Developers, which is pretty hilarious. Thanks Sarah Liu for the link!

🎙️ Podcast Recordings

If you missed them live, here are the recordings for me joining the DevSlop and Absolute AppSec podcasts. Both podcasts have tons of great guests, so definitely check out other episodes they’ve done 👍

Oh yeah, and Nancy pulled out a 2min clip where I demoed Semgrep’s autofix functionality, and you can see how this can work in a GitHub PR comment auto-suggest workflow here.

🍖 No Newsletter Next Week

I’m taking next week off. I hope you get the chance to relax a bit, and stay safe!

Web Security

webscan
Another neat tool by Samy Kamkar: “A browser-based internal network scanner that detects victim’s LAN IP (loops back via WebRTC) & other network hosts just by visiting a page. Can be chained with NAT Slipstreaming + other attacks; works on mobile; no TURN/STUN/ICE needed.”

10 React security best practices
Great cheatsheet by Ron Perris.

Announcing Curiefense: An Open-Source Security Platform
Reblaze has open sourced Curiefense, a free, open-source web security platform that extends Envoy Proxy to include WAF, Bot Management, application-layer DDoS, and more.

Threat Modeling

Threat Modeling Manifesto
Some well known threat modeling folks wrote a manifesto, sort of like the Agile Manifesto, on what they believe are the core values, principles, etc. of threat modeling.

Absolute AppSec Ep. #113 - Jacob Salassi - Modeling Threats, Risk Assessments
This discussion with Jacob Salassi is probably one of the better resources I’ve encountered on threat modeling recently 👍 Jacob discusses the practical realities and lessons learned of scaling threat modeling in a engineering-drive, hypergrowth company (Snowflake). I won’t be able to list all the great stuff here, but:

• You’re never going to scale if the security team needs to be involved in threat modeling, it has to be developer-lead.

• Engineers don’t know what “threat modeling” is. But they’re great at modeling the systems they’re building, so Jacob instead has them “model threats.”

• In order to get widespread threat modeling adoption, ask yourself: how can we make it as easy and frictionless for developers as possible?

• Threat modeling is often referred to as “more art than science.” That doesn’t work when you’re trying to get consistent threat modeling quality across many engineers in a large org. Instead, you need to build guardrails, document the process, and streamline it as much as possible so it’s repeatable.

• Snowflake’s security team has done some neat work in automating parts of threat modeling. As referenced in tl;dr sec 46, they have automation to go from draw.io diagram ➡️ to a set of standard risks you need to handle ➡️ to recommended security controls to ➡️ recommended security unit tests, and more.

• Jacob has removed as many references to “secure coding standards” internally as possible. Security is not a separate thing, security is inherently a part of building secure, quality software.

Container Security

rewanth1997/containers-from-scratch
Writing a container in a few lines of Go code, using a few Linux syscalls. Rewanth Cool’s version of Liz Rice’s original implementation allows running the containers without giving them root privileges.

Blue Team

ComodoSecurity/openedr
Comodo has open sourced their EDR Windows agent and seemingly some adjacent components.

Misc

mame/quine-relay
A quine is a program that takes no input and produces a copy of its own source code as its output. This quine by Yusuke Endoh is a Ruby program that generates a Rust program that generates a Scala program that generates … (through 128 languages in total)… REXX program that generates the original Ruby code again 🤯 

Have a nice flight — without COVID-19
One Medical’s advice on safely flying.

Organizing Feedly by Tags
It’s always neat to hear how voracious readers like Daniel Miessler structure their information intake. We’ve chatted a few times about it, and it’s been cool to see how our processes overlap and differ. I’ll try to write about my process soon if you’re curious. It may or may not involve multiple tools and custom glue code 😅

Building effective security OKRs

This post is an abridged version of Alex Smolen’s LocoMocoSec 2020 talk. 💯 article, here are some things that especially stood out:

• Define the mission with high-level security objectives: Make sure security objectives make sense outside the security team and make it clear how security supports the organizational mission.

• Create balanced security objectives: Balance things like reducing actual risk vs perceived risk, improving security posture vs reducing development velocity, etc.

• Think of your security team as a product: Can you ship an MVP of a new security process or tool, and then rapidly learn and iterate based on feedback? Consider developer UX in process and tool changes. Consider sending out Net Promoter Score surveys after threat modeling exercises. Would dev teams recommend your security team to other devs?

• LaunchDarkly uses Jira as the single source of tracking vulnerability information, and they use custom issue types with: type (CWE), severity (CVSS), service and team involved, source, and time introduced, identified, and mitigated.

• Example metrics: time to detection of vulnerabilities, time to remediation, and average vulnerabilities over time. These can all be done by vulnerability type, source, team, etc.

• Having a well-defined key result makes the impacts of initiatives much clearer. For example, will adding a new SAST or DAST tool reduce time to detection?

• Recommends Ryan McGeehan’s simple risk analysis, “a quantitative, probabilistic risk measurement method.”

• Oh hey, he had his team watch my AppSec Cali talk 🥰

• Prioritize projects based on impact and effort as well as confidence - how likely is this to result in impact? Also consider the cost of delay- a risk that exposes the organization today is higher priority than something that prevents a future problem.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint